
SoylentNews is people

posted by mrpg on Tuesday February 26 2019, @09:49AM
from the ?¿?!!¡¡ dept.

Submitted via IRC for chromas

Surveillance firm asks Mozilla to be included in Firefox's certificate whitelist

[...] The vendor is named DarkMatter, a cyber-security firm based in the United Arab Emirates that has been known to sell surveillance and hacking services to oppressive regimes in the Middle East.

[...] On one side Mozilla is pressured by organizations like the Electronic Frontier Foundation, Amnesty International, and The Intercept to decline DarkMatter's request, while on the other side DarkMatter claims it never abused its TLS certificate issuance powers for anything bad, hence there's no reason to treat it any differently from other CAs that have applied in the past.

Fears and paranoia are high because Mozilla's list of trusted root certificates is also used by some Linux distros. Many fear that once approved on Mozilla's certificate store list, DarkMatter may be able to issue TLS certificates that will be able to intercept internet traffic without triggering any errors on some Linux systems, usually deployed in data centers and at cloud service providers.

In Google Groups and Bugzilla discussions on its request, DarkMatter has denied any wrongdoing or any intention to do so.

The company has already been granted the ability to issue TLS certificates via an intermediary, a company called QuoVadis, now owned by DigiCert.

Also at Electronic Frontier Foundation


  • (Score: 3, Informative) by zocalo (302) on Tuesday February 26 2019, @02:51PM (#806935)
    This would apply to the operators of gTLDs and ccTLDs, not all the myriad owners of random "company.com" type domains, or whatever. I'd like to think that the former group at least know how to set up DNS properly, although realistically all they need to do is run some servers (albeit potentially quite beefy ones), delegate sub-domains, and optionally implement DNSSec, so not exactly getting into the technical weeds of everything that DNS can do. e.g. if you are the operator of .com (Verisign) you could either opt to be the sole CA for all domains bought within the .com gTLD (ka-CHINGGG!) and/or delegate that out to one or more approved CAs, so they could (for instance) allow Thawte to issue certs for .com domains but deny Comodo the right to do so.

    A nice idea in a way since root CAs are meant (in theory at least) to be partly responsible for downstream CAs using their certs, and it might also encourage more TLD operators to run a cleaner ship (there's probably no helping some of the "random word" gTLD cesspits out there though), but potentially hugely anti-consumer as it's likely to see prices for certificates on some domains spike considerably with the removal of competition.
    --
    UNIX? They're not even circumcised! Savages!